
Security Interview Questions


Authentication Files

1. SimpleAuth.java

  • Contains the main() method.
  • Creates a LoginContext object by passing in a LoginModule configuration id ("JAAS_Module") and an instance of the CallbackHandler interface.
  • The LoginContext reads a configuration file, looking for the configuration ID.
  • After finding a match, it instantiates the specified LoginModules.
  • Each LoginModule is initialized with a Subject, a CallbackHandler, shared LoginModule state, and LoginModule-specific options.
  • Finally, the login process is kicked off by calling the login() method on the LoginContext object.

2. SimpleJAAS.config

  • This file associates configuration IDs with LoginModules and optional properties.

3. SimpleCallbackHandler.java

  • This file implements the CallbackHandler interface and handles the callback events passed by the security service components.

4. SimpleLoginModule.java

  • This file implements the LoginModule interface and interfaces between the user and the CallbackHandler to authenticate the user.
  • It uses two arrays to maintain the set of possible usernames and passwords.
  • The passwords are then compared by passing a PasswordCallback instance to the SimpleCallbackHandler and using the readPassword() method defined in the SimpleCallbackHandler class.

5. SimplePrincipal.java

  • This file provides a bare-bones implementation of the Principal interface.

Authorization Files

1. SimpleAuthz.java

  • This class is identical to the SimpleAuth.java class in all but one respect.
  • After authenticating the user, it attempts a privileged action.
  • To do this, the code obtains a reference to the current Subject and calls the doAsPrivileged() method from that object reference.
  • We pass the Subject reference and an instance of the SimpleAction class into this method.
  • The Java runtime will then take the supplied Subject reference and attempt to execute the privileged action defined within the run() method of the SimpleAction class.

2. SimpleAction.java

  • This class implements the PrivilegedAction interface and defines a single method, run().
  • It attempts to perform a few actions that are restricted to privileged users (as defined by the policy file).
  • If the Subject has the appropriate privileges to perform these actions, the method will execute without any trouble. Otherwise, it throws an exception.

3. SimpleJAAS.policy

  • This file defines the activities for which permission has been granted and which code has permission to perform them (code-level access).
  • These grant statements can further be narrowed to allow only a particular Principal (user-level access).

  • Permissions control access to resources.
  • The JAAS permissions are built on top of the existing Java security model.
  • This model is very good for controlling access to resources like sockets and files, but has no concept of URLs.
  • Thus, to apply JAAS to a web application, a new permission class must be created, which can be done in two ways:

1. Extend java.security.BasicPermission. This option ties each permission to a literal URL.
2. Create a URLPermission class that extends java.security.Permission and handles wildcards in a manner similar to the java.io.FilePermission class.
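As an added example (not the page's or the project's own code), a hypothetical AppUrlPermission class along the lines of option 2: it extends java.security.Permission, handles "/*" and "/-" wildcards the way java.io.FilePermission does, and normalises the path before comparing, because an implies() check that compares unnormalised paths can be sidestepped with "." , ".." or doubled-slash segments. The class name is an assumption; java.net.URLPermission has been a JDK class since Java 8, so a custom class should not reuse that simple name.

```java
import java.security.Permission;
import java.util.ArrayDeque;

// Hypothetical AppUrlPermission (an added example, not the page's code): a custom Permission
// for servlet-style URL paths that borrows java.io.FilePermission's wildcard conventions.
// "/admin/*" implies paths directly under /admin/, "/admin/-" the whole subtree, and a
// plain "/admin/users" only that exact path.
public final class AppUrlPermission extends Permission {
    private final String base;        // normalised path with the wildcard suffix removed
    private final boolean directory;  // name ended in "/*" or "/-"
    private final boolean recursive;  // name ended in "/-"
    public AppUrlPermission(String name) {
        super(name);
        recursive = name.endsWith("/-");
        directory = recursive || name.endsWith("/*");
        base = normalize(directory ? name.substring(0, name.length() - 2) : name);
    }
    // Drop the query string and resolve "." / ".." / "//" segments, so that a request for
    // "/admin/../public/x" is judged as "/public/x" rather than as something under /admin.
    static String normalize(String path) {
        int q = path.indexOf('?');
        if (q >= 0) path = path.substring(0, q);
        ArrayDeque<String> out = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) out.pollLast(); else out.addLast(seg);
        }
        return "/" + String.join("/", out);
    }
    @Override public boolean implies(Permission p) {
        if (!(p instanceof AppUrlPermission)) return false;
        AppUrlPermission that = (AppUrlPermission) p;
        String prefix = base.equals("/") ? "/" : base + "/";
        if (recursive)                          // "/-": anything strictly below base
            return (that.directory ? that.base + "/" : that.base).startsWith(prefix);
        if (directory) {                        // "/*": exactly one level below base
            if (that.recursive) return false;   // a "/*" grant never covers a "/-" request
            if (that.directory) return that.base.equals(base);
            int last = that.base.lastIndexOf('/');
            return !that.base.equals(base) && prefix.equals(that.base.substring(0, last + 1));
        }
        return !that.directory && base.equals(that.base);   // exact path only
    }
    @Override public boolean equals(Object o) {
        return o instanceof AppUrlPermission && ((AppUrlPermission) o).base.equals(base)
            && ((AppUrlPermission) o).directory == directory && ((AppUrlPermission) o).recursive == recursive;
    }
    @Override public int hashCode() { return base.hashCode() * 4 + (directory ? 2 : 0) + (recursive ? 1 : 0); }
    @Override public String getActions() { return ""; }   // no action list, like BasicPermission
}
```

In use, a grant such as `new AppUrlPermission("/admin/-")` is checked against `new AppUrlPermission(request.getRequestURI())`, so the request path goes through the same normalisation as the policy entry.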

The login process starts when an access request is made to an application that is running on the Java Authentication System. For example, when a web client accesses a web application, the web container running the application prompts the user to log in on the first request for a resource that the application protects.

Java AS creates a new instance of the LoginContext class for the user to log in with. This is based on the policy configuration information in the web application's deployment descriptor.

The LoginContext supplies the Java AS application with the policy configuration, from which it obtains the authentication and authorization checks that are required. These checks must pass before access to the application is granted. The checks are implemented by JAAS login modules or by authentication schemes, which makes authentication pluggable and independent of the application's code.
